UD-1190: Add support for plugin pod annotations and plugin service ac…

knrc commented 6 months ago

…count annotations

Description

This PR enables annotations to be provided for each plugin pod and for the plugin service account.

One use of this would be to enable access to specific IAM roles when running in EKS, for example for Trivy to access a private ECR.

Linked Issues

How has this been tested?

Creation of a private ECR, an EKS cluster and a deployment of an image from the private repo
Helm installation of zora using the following options
- --set scan.plugins.annotations.eks\\.amazonaws\\.com/role-arn=arn:aws:iam::127647282379:role/undistro-test-ecr-role (annotation on the ServiceAccount, must use the role created for accessing the ECR)
- --set scan.plugins.marvin.podAnnotations.marvin-annotation="marvin-value"
- --set scan.plugins.popeye.podAnnotations.popeye-annotation="popeye-value"
- --set scan.plugins.trivy.podAnnotations.trivy-annotation="trivy-value"
check service account for annotation
- kubectl get sa zora-plugins -o jsonpath='{.metadata.annotations}'
check cronjobs and executed pods for annotations
- kubectl get cronjob -l zora.undistro.io/plugin=marvin -o jsonpath='{.items[*].spec.jobTemplate.spec.template.metadata.annotations}'
- kubectl get cronjob -l zora.undistro.io/plugin=popeye -o jsonpath='{.items[*].spec.jobTemplate.spec.template.metadata.annotations}'
- kubectl get cronjob -l zora.undistro.io/plugin=trivy -o jsonpath='{.items[*].spec.jobTemplate.spec.template.metadata.annotations}'
- kubectl get pods -o jsonpath='{.items[*].metadata.annotations}'
check dashboard for vulnerabilities from private repo images
check trivy pod to ensure there are no errors for the images from a private repo

Checklist

[X] I have labeled this PR with the relevant Type labels
[ ] I have documented my code (if applicable)
[ ] My changes are covered by tests

knrc commented 6 months ago

It's important to ensure all parameters are included in values.yaml for users who reference to this file to understand the available options and to ensure the consistency of auto-generated chart documentation.

@matheusfm I've added them into values.yaml, with examples to ensure the docs are generated appropriately

knrc commented 6 months ago

Thank you @knrc I think the only thing missing was commenting out the annotation examples, like in the Marvin section, right?

No, I did that originally but the generated document had each as a string. I left the examples in there so they would generate the appropriate content.

knrc commented 6 months ago

Thank you @knrc I think the only thing missing was commenting out the annotation examples, like in the Marvin section, right?

No, I did that originally but the generated document had each as a string. I left the examples in there so they would generate the appropriate content.

Note I'm not convinced that the generated content is even correct, since the original content I added by hand is what you need to use for the helm command line. I'll see if there's an alternative which gives the right content.

matheusfm commented 6 months ago

I would try set {} as default.

      podAnnotations: {}
#        trivy-annotation: trivy-value

knrc commented 6 months ago

I would try set {} as default.

      podAnnotations: {}
#        trivy-annotation: trivy-value

Yeah, this worked to change it to an object but wasn't really what I was looking for. I was hoping there was some way of specifying examples but couldn't find it, the only examples appear to be the assumed defaults set in the values.yaml file.

undistro / zora